Officials warn about expansive, ongoing China espionage threat riding on Brickstorm malware

By primereports, December 5, 2025

Cybersecurity authorities and threat analysts unveiled alarming details Thursday about a suspected China state-sponsored espionage and data theft campaign that Google previously warned about in September. Given their limited visibility into China’s sustained ability to burrow undetected into critical infrastructure and government agency networks, dating back to at least 2022, the outlook is grim.

“State-sponsored actors are not just infiltrating networks, they are embedding themselves to enable long-term access, disruptions and potential sabotage,” Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said during a media briefing.

Brickstorm, a backdoor which Andersen described as a “terribly sophisticated piece of malware,” has allowed the attackers to achieve persistent access with an average duration of 393 days to support immediate data theft and follow-on pivots to other malicious activity, Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop.

“We believe dozens of organizations in the United States have been impacted by Brickstorm, not including downstream victims,” Larsen said.

CISA, the National Security Agency and the Canadian Centre for Cyber Security released an analysis report on Brickstorm, which targets VMware vSphere and Windows environments to conceal activity, achieve lateral movement and tunnel into victim networks while also automatically reinstalling or restarting the malware if disrupted. CISA provided indicators of compromise based on eight Brickstorm samples it obtained from victim organizations.

China state-sponsored attackers are primarily implanting Brickstorm into the networks of organizations in government, IT and legal services, and targeting edge devices, software as a service providers and business process outsourcers to gain access to downstream targets, according to officials and researchers.

Andersen declined to say how many government agencies have been impacted or the type of data stolen, but the scope of assumed impact is far greater than what’s been uncovered to date. “I think it’s a logical conclusion to assume that there are additional victims out there that we have not yet had the opportunity to communicate with,” he said.

CrowdStrike, which attributes the attacks to Warp Panda, and GTIG, which attributes the activity to UNC5221, both said the Brickstorm campaign goes back to at least 2022. Yet, the intrusions involving Brickstorm weren’t detected until last summer.

“Their infrastructure expansion, evolution of their tooling, and continued ability to exploit cloud misconfigurations all point to a campaign that remains highly active,” said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike.

CrowdStrike said it also observed Warp Panda deploy two previously unobserved implants called Junction and GuestConduit. All of the malware is written in Golang. 

The threat group has stolen configuration data, identity metadata, documents and emails on topics that align with China’s government interest, Meyers said.

“While we haven’t observed destructive follow-on actions, the intelligence value alone is significant. Access to this kind of cloud-resident data gives a state actor the ability to map infrastructure, study dependencies, and position themselves for future operations,” he added. “That’s what makes this campaign so dangerous: it’s espionage with strategic depth.”

CISA provided details about a 2024 attack on an unnamed organization’s internal network as an example of the threat group’s operations, but much remains unknown. Authorities still don’t know key details about how attackers obtained initial access in that incident, when the webshell was implanted or how they obtained credentials for a second account to move laterally to a domain controller using remote desktop protocol.

Attackers involved in that incident copied the organization’s Active Directory database, obtained credentials for a managed service provider account and used those credentials to move from the internal domain controller to the VMware vCenter server. Officials said the attackers also jumped multiple servers to steal cryptographic keys and elevated privileges, which allowed them to deploy Brickstorm malware in the server’s directory. 
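One of the few concrete steps CISA did describe in that incident is a remote desktop hop to a domain controller with a second account. The following is an added detection example, written for this page and not drawn from the advisory, CISA, GTIG or CrowdStrike. It parses a constructed set of Windows Security logon records (event ID 4624, logon type 10 = RemoteInteractive/RDP are real Windows values) and flags RDP logons to domain controllers by accounts outside an expected administrator set or from sources other than designated jump hosts. The host names, account names, IP addresses and allowlists are hypothetical placeholders, not indicators from the report.

```python
import json

# Constructed sample Windows Security event records (EventID 4624 = successful
# logon; LogonType 10 = RemoteInteractive, i.e. RDP; 4625 = failed logon).
# Hosts, accounts and IPs are hypothetical, not indicators from the advisory.
SAMPLE_LOG = """\
{"EventID": 4624, "Computer": "DC01", "TargetUserName": "da-alice", "LogonType": 10, "IpAddress": "10.0.5.10"}
{"EventID": 4624, "Computer": "FILE01", "TargetUserName": "bob", "LogonType": 10, "IpAddress": "10.0.7.44"}
{"EventID": 4624, "Computer": "DC01", "TargetUserName": "bob", "LogonType": 10, "IpAddress": "10.0.7.44"}
{"EventID": 4624, "Computer": "DC02", "TargetUserName": "svc-msp", "LogonType": 10, "IpAddress": "10.0.9.3"}
{"EventID": 4624, "Computer": "DC02", "TargetUserName": "svc-msp", "LogonType": 3, "IpAddress": "10.0.9.3"}
{"EventID": 4625, "Computer": "DC01", "TargetUserName": "bob", "LogonType": 10, "IpAddress": "10.0.7.44"}
"""

# Hypothetical reference data a defender would maintain from the asset inventory.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # hosts treated as domain controllers
EXPECTED_RDP_ADMINS = {"da-alice"}      # accounts permitted to RDP to a DC
JUMP_HOSTS = {"10.0.5.10"}              # expected RDP source addresses for DCs


def parse_events(text):
    """Parse newline-delimited JSON event records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A corrupt line should not abort the whole hunt; skip it.
            continue
    return events


def dc_rdp_findings(events):
    """Return (account, host, source_ip, reasons) for successful RDP logons to a
    domain controller that break the account allowlist or the jump-host rule."""
    findings = []
    for ev in events:
        # Only successful interactive-over-network (RDP) logons are of interest here.
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
            continue
        host = ev.get("Computer")
        if host not in DOMAIN_CONTROLLERS:
            continue
        reasons = []
        if ev.get("TargetUserName") not in EXPECTED_RDP_ADMINS:
            reasons.append("account not on DC RDP allowlist")
        if ev.get("IpAddress") not in JUMP_HOSTS:
            reasons.append("source not a designated jump host")
        if reasons:
            findings.append((ev.get("TargetUserName"), host, ev.get("IpAddress"), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for account, host, ip, reasons in dc_rdp_findings(parse_events(SAMPLE_LOG)):
        print(f"RDP to {host} by {account} from {ip}: {'; '.join(reasons)}")
```

On the constructed input this yields two findings (the `bob` and `svc-msp` logons to domain controllers); the `svc-msp` network logon (type 3) and the failed attempt (4625) are ignored by design. The two allowlists are the point: the article notes that a second account and a managed service provider credential were used for the hop, so a rule keyed on "who is expected to RDP into a DC, and from where" surfaces exactly that class of movement without needing to know the initial access vector.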

The attacks revive and amplify enduring concerns about China’s cyberespionage activity, mirroring other campaigns with similar objectives based on living-off-the-land techniques attributed to other prominent China state-sponsored threat groups.

“Compared to past China-nexus efforts, this campaign represents an evolution of tradecraft,” Meyers said. “It shows a deep understanding of multi-cloud environments and the identity fabrics that tie them together.”

A sustained lack of insight into China’s already achieved goals and what these persistent backdoors might ultimately allow attackers to accomplish down the line is startling.

The Brickstorm campaign effectively blends objectives spanning espionage, intellectual property theft and persistent access that attackers could use for follow-on malicious activity, Larsen said.

The nation-state attackers are also remarkably stealthy, exploiting gaps in networks where detection tools can’t be deployed and prioritizing the compromise of perimeter and remote access infrastructure where log retention is often insufficient to determine the initial access vector, he added.

“Identifying this activity is exceptionally difficult because it targets appliances and edge devices that are often poorly inventoried and unmonitored,” Larsen said. “This level of operational security and the focus on ‘unmanageable’ devices places it among some of the most evasive nation-state activities we track.”

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.
